What are pgp signatures for?
March 10, 2011 5:22 PM

When people attach a "pgp signature key" to their e-mails, what does that do exactly? What is to keep me from copying their pgp key and forging e-mail headers?

I use pageant for when I need to log in to secure systems, so I understand the general idea behind "I encrypt something with my private key, if you have my public key you can decrypt something I send you and know it was me (or someone with my private key), and magic math makes sure you can't take my public key and figure out my private key."

But I never understood the whole "pgp signatures" at the end of e-mails. The message itself is never encrypted; is a "pgp signature" a public key, a way of saying, "If you get an encrypted e-mail from me, use this public key?"

PGP signatures seem to imply "this e-mail is really from me," but that seems to suffer from a huge man-in-the-middle vulnerability.
posted by geoff. to Computers & Internet (11 answers total) 4 users marked this as a favorite
 
Digital signatures are a tool to prevent man-in-the-middle vulnerabilities. The value of the signature depends on both the private key and the message and can be verified using the public key and the message. If a man in the middle tries to change the contents of the message, but they don't change the signature, then the verification will fail.
posted by martinX's bellbottoms at 5:31 PM on March 10, 2011


The signature authenticates both the sender and the content of the message. If you change the content, the signature will no longer be valid. Also, the signature on its own is worthless; you need the user's actual public key (which you are supposed to get by other means, such as a keyserver) to authenticate it.
posted by zsazsa at 5:31 PM on March 10, 2011


It is a way for the sender to say "This was written by me, and I can prove it." Much like a traditional signature is (supposed to be) a way to verify that you've seen and signed a document in real life. Except, a PGP signature can be much more trustworthy.

The PGP signature on the email is a function of both the content of the message and the user's secret key. The only way* to generate the specific PGP signature is to have the message content, the private key, and the passphrase associated with the private key. Essentially, PGP does math on the message and the private key and generates a result that links the two together in a verifiable way.

If you have the user's public key and a copy of PGP, you can verify that the signature is valid.

*not really, but barring a flaw in PGP, it is too computationally difficult to do it any other way
posted by i love cheese at 5:33 PM on March 10, 2011


If you look closely, you'll notice that the signature is different for each message. What happens is that the sender, who we'll call Alice, uses PGP to compute a digital signature based on both the text of the message and a secret key that only Alice knows. Then she sticks that key at the end of her message. When you, who we'll call Bob, receive the message, you can use Alice's public key along with the message body to validate the signature. If anyone changes the message in any way en route, the signature won't validate and Bob knows it's a forgery.

Essentially it's just like the public key encryption scheme you're used to, but the message isn't encrypted so that people can still read it without keys or special software. The signature protects against tampering.
posted by zachlipton at 5:36 PM on March 10, 2011


Signatures take the body of the email (or at least the parts between two markers like ------ PGP BEGIN ------ and ------ PGP END ------) and generate a hash of the content. Most hashing functions take a large amount of data and produce a fixed-size value from it; and given the same data will always produce the same fixed-size value. Examples of hashing functions that you might recognize (but are not necessarily used in PGP signed emails): MD5, SHA-1, SHA-2, etc.

Then PGP takes this hash value and encrypts it with your private key. This is the signature.

The recipient, if they wish to validate that the message both (a) has not changed and (b) is from the person it says it is from, follows these steps:

1) Take the body of the email and hash it using the same hash function.

2) Take the encrypted hash in the message and decrypt it using the person's public key.

3) Compare the value from (1) to the value from (2).

If the message is not from the right person, then you will get an error or wrong hash on decrypting the signature. If the message has been altered, then the hash you compute will not match the signature hash.

Now, because a hash function takes an infinite amount of data and turns it into a fixed-size hash, there is certainty that infinitely many other messages match the same hash as your message. However, the likelihood that these matching messages have any useful meaning is pretty slim (you can also do tricks like encrypting the message size in the signature so that the number of matching messages is greatly reduced).
posted by sbutler at 5:37 PM on March 10, 2011


public key (which you are supposed to get by other means)

This is important to avoid the man-in-the-middle attack. If I send you a message containing my public key, then send you a message signed by my private key, there is still scope for a man in the middle to replace those with his public key and the same message signed by his private key.
posted by We had a deal, Kyle at 5:53 PM on March 10, 2011
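The hash-then-sign procedure sbutler describes, and the key-substitution point We had a deal, Kyle raises, worked through in code. This is an added example, not code from the thread: it uses Go's standard crypto/rsa with SHA-256 and PKCS#1 v1.5 in place of OpenPGP's packet format, and the keys, message bodies and the names Alice and Mallory are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sign: hash the body with SHA-256, then apply the private key to the digest
// (RSA PKCS#1 v1.5 here; OpenPGP wraps the same idea in its own packet format).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify: re-hash the received body and let the public key check the signature
// against it. A changed body or a different signing key both yield false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the thread's scenarios on constructed keys and messages (no real keys).
func Demo() (map[string]bool, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	msg := []byte("Meet at noon. -- Alice")        // constructed body
	altered := []byte("Meet at midnight. -- Alice") // constructed tampering
	sig, err := Sign(alice, msg)
	if err != nil {
		return nil, err
	}
	mallorySig, err := Sign(mallory, altered)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"original":      Verify(&alice.PublicKey, msg, sig),     // true
		"tampered":      Verify(&alice.PublicKey, altered, sig), // false: body changed
		"wrong_key":     Verify(&mallory.PublicKey, msg, sig),   // false: not Alice's key
		"mitm_resigned": Verify(&mallory.PublicKey, altered, mallorySig), // true: only caught by holding the right key
	}, nil
}
```

The last case is the man-in-the-middle the thread warns about: a re-signed message verifies fine under the attacker's key, so the check only protects you if you obtained Alice's real public key out of band and verify against that one.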


When people attach a "pgp signature key" to their e-mails

PGP keys and PGP signatures are totally different things, don't confuse the two. They do look similar (a block of base64 with ----- lines above and below).

If someone attaches a key, that's just a convenience— they're saying, "hey, here's a key, you can use it to communicate with me"— but it's kind of pointlessly verbose. Most people will just include a key fingerprint or key ID (a much shorter string of digits) and you can get the key from a keyserver based off that.

OTOH, if someone signs a message then, if you verify that message you can confirm that it was written by someone who had access to the corresponding key. (If you just copy-and-paste the signature, it won't verify any more. If you don't verify the signature, then PGP is doing nobody any good.) Ideally, the only person who has the secret key is the person you think you're talking to. This leads to the most complicated part of any verification system—

that seems to suffer from a huge man-in-the-middle vulnerability

What does it mean for someone to be who you think they are? That sounds like a philosophical question but it's really very practical. There are many answers to this. One answer is that you've talked to this person before and you want to know you're talking to the same person. This is the most important sense of identity; you can use PGP to verify it by getting that person's public key from them directly (in person, say) or by using the "web of trust" to let other people vouch for this person in some way that is meaningful to you. Another answer is that this person is "really named" John Foobar. This sense is useful in some cases, but it falls apart really easily in practice.
posted by hattifattener at 7:11 PM on March 10, 2011


Response by poster: Ah, thank you all. I was assuming, naively, that the PGP signature was the same for each individual. The fact that it is a function of the private key and the content of the message makes much, much more sense.
posted by geoff. at 7:25 PM on March 10, 2011


I'd put it this way - when I PGP SIGN an email I send - I'm doing it so that, later on, if its content or origin ever came into question, I can prove whether something did or didn't come from me.

Whether others are using it to validate that something came from me is often less important than my having a rock-solid audit trail for myself.
posted by TravellingDen at 10:55 PM on March 10, 2011 [1 favorite]


PKI has two modes: encryption and digital signature.

Encryption tech people are familiar with: you encrypt something with someone else's public key and only the corresponding private key can decrypt it.

With a digital signature, you reverse the two. You do some operation (according to comments above, a hash) and encrypt that with your private key, and anyone with your public key can decrypt it. If the message was modified or signed by the wrong private key, it's detectable in software.

This is all separate from public key distribution, which is where the whole thing seems least reliable in society. Kaminsky DNS exploits, CAs signing anything that moves, etc.
posted by pwnguin at 6:43 AM on March 11, 2011


A secondary reason, besides the issue of ensuring that someone can't impersonate you, is to help with the web of trust. In an ideal world, you're supposed to validate someone's public key fingerprint in an out-of-band manner: you meet them personally and they tell you that their public key ends in 0xdeadbeef or whatever. But in many cases, this isn't possible. Instead you tend to rely on public keyservers or public websites, but the problem then becomes: how do you know that a key or a site claiming to be published by John Smith really represents John Smith? Anyone can publish anything on the web, and a determined person could put up a page claiming to be John Smith that lists the attacker's public key and not John Smith's actual key, and then manipulate google or whatever to get that site to rank higher. How do you know which key is his if you want to send him something sensitive and private? Well, if he has been signing his emails you can go onto the public mailing list archive and look at the record and see that the real John Smith has signed a few thousand messages using the public key with fingerprint 0xdeadbeef, and yet this website that claims to be John Smith lists a different key, so it's probably bogus.
posted by Rhomboid at 6:11 PM on March 11, 2011

